cleanups and code fixes incl templ

internal/settings/settings.go

@@ -106,6 +106,7 @@ func (s *Settings) ReadYMLSettings() error {
 
 	// Init new YAML decode
 	d := yaml.NewDecoder(file)
+	d.KnownFields(true)
 
 	// Start YAML decoding from file
 	if err := d.Decode(&settings); err != nil {
@@ -149,9 +150,9 @@ func (s *Settings) WriteYMLSettings() error {
 		return fmt.Errorf("unable to encode settings file: %w", err)
 	}
 
-	mode := os.FileMode(0o644)
+	mode := os.FileMode(0o600)
 	if info, err := os.Stat(s.SettingsPath); err == nil {
-		mode = info.Mode().Perm()
+		mode = secureSettingsFileMode(info.Mode().Perm())
 	}
 
 	dir := filepath.Dir(s.SettingsPath)
@@ -181,3 +182,10 @@ func (s *Settings) WriteYMLSettings() error {
 
 	return nil
 }
+
+func secureSettingsFileMode(mode os.FileMode) os.FileMode {
+	// Ensure owner read/write, strip world permissions and all execute bits.
+	secured := mode & 0o660
+	secured |= 0o600
+	return secured
+}